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Executive  Summary 


Ninety  eight  participants  from  the  US,  EC,  Canada,  and  Japan  representing 
government  agencies,  both  defense  and  civil,  private  corporations,  evaluators,  users, 
and  vendors  of  trusted  products  met  to  discuss  the  concept  of  developmental 
assurance. 

Very  few  representatives  from  the  vendor  community  participated  in  the  workshop. 
This  is  an  area  of  concern.  It  was  suggested  that  a second  workshop  be  held  with  only 
vendors  in  attendance. 

The  majority  of  the  participants  felt  that  the  concept  of  developmental  assurance  was 
valid.  However,  the  participants  suggested  a cautiously  optomistic  approach  to  the 
implementation  of  a developmental  assurance  scheme. 

The  participants  thought  developmental  assurance  is  a promising  concept  but  it  is  as 
yet  unproven.  A great  deal  of  study  is  needed  to  validate  the  concept. 

The  participants  recommended  that  all  future  developmental  assurance  work  take  place 
on  the  international  level.  The  results  of  any  developmental  assurance  scheme  should 
be  exchangeable,  repeatable  and  provide  reciprocity.  It  was  recommended  that  an 
international  working  group  for  developmental  assurance  be  established. 

The  developmental  assurance  concept  must  first  be  proven  at  the  lower  levels  of  trust. 
Developmental  assurance  may  provide  a level  of  assurance  that  approaches  the 
current  C2/E2.  If  this  Is  possible,  developmental  assurance  may  then  be  extended  to 
the  higher  levels  of  trust. 

Developmental  assurance  may  not  replace  third  party  evaluations  completely  but  may 
help  to  speed  up  the  evaluation  process.  Developmental  assurance  In  combination 
with  third  party  evaluation  may  provide  a useful  level  of  assurance  In  a more 
reasonable  period  of  time. 
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Introduction 


The  International  Invitational  Workshop  on  Developmental  Assurance  was  held  June 
16-17,  1994  at  the  Turf  Valley  Hotel  and  Country  Club  in  Ellicott  City,  Maryland.  The 
Workshop  was  sponsored  by  the  National  Institute  of  Standards  and  Technology 
(NIST),  the  National  Security  Agency  (NSA),  the  Canadian  Communications  Security 
Establishment  (CSE),  and  the  European  Commission  (EC).  Ninety  eight  participants 
representing  government  agencies,  private  corporations,  evaluators,  purchasers  and 
vendors  of  trusted  products  took  part. 


Formulation  of  the  Developmental  Assurance  Concept 

In  November  1993,  a meeting  of  senior  execuitves  from  NIST,  NSA,  CSE,  and  the  EC 
was  held  at  NIST.  The  senior  executives  discussed  various  alternatives  to  the  third 
party  evaluation  scheme.  Third  party  evaluations  tend  to  be  expensive  and  resource 
consuming.  The  senior  executives  agreed  that  some  assurrance  may  be  gained  from 
reliance  on  the  development  process.  If  a vendor  was  to  follow  and  document  a 
particular  development  method,  a level  of  assurance  may  be  gained.  That  Is  not  to  say 
that  the  governments  would  require  that  a vendor  follow  a particular  development 
process  but  that  the  process  followed  by  a vendor  be  documented  and  repeatable.  The 
vendor  would  demonstrate  the  security  enhancing  features  of  the  process  used  during 
development.  Therefore,  a level  of  assurance  could  be  gained  from  the  development 
process  itself. 

The  senior  executives  agreed  that  developmental  assurance  may  provide  an  adequate 
level  of  assurance  for  some  users,  particularily  those  in  the  commercial  and  civil 
sectors.  It  was  also  agreed  that  while  developmental  assurance  may  approach  a level 
of  assurance  close  to  C2/E2  that  a great  deal  of  research  needs  to  be  done. 


Call  for  Papers 

In  January  1994  a call  for  papers  was  issued  requesting  thought  on  developmental 
assurance.  Seventy-seven  papers  were  recleved  and  the  authors  were  Invited  to 
participate  in  the  Developmental  Assurnace  Workshop. 

The  papers  received  covered  a wide  variety  of  topics  including: 

Approaches  to  Developmental  Assurance 

Operationsal  perspectives 

Commercial  Products 

Tactical  Systems 

The  Information  Highway 

Security  Engineering  Capability  Maturity  Model 
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Common  Criteria 
Relationship  to  Evaluation 
Quality  Assurance 

Although  the  accepted  papers  are  not  published  in  these  proceedings  a list  of  the 
papers  is  in  contained  in  Appendix  A. 


Format  of  the  Workshop 

The  papers  received  were  of  an  extremely  diverse  nature  and  reflected  individual 
perspectives,  environments  and  experiences.  It  was  clear  from  the  papers  that  there 
was  a disparate  understanding  of  the  definition  of  developmental  assurance.  The 
workshop  participants  needed  to  clearly  define  their  understanding  of  the 
developmental  assurance  concept.  The  workshop  committe  organized  the  workshop 
into  areas  for  discussion.  These  areas  included: 

Metrics  - How  can  developmental  assurance  be  measured?  How  can  we  establish 
useful  metrics  that  are  meaningful  to  the  security  community  in  the  civil,  defense  and 
private  sectors? 

Process  - What  process  could  be  used  to  measure  developmental  assurance?  Could 
SEI  or  the  Security  Engineering  Capability  Maturity  Model  be  used?  Are  there  other 
approaches  which  may  be  appropriate? 

Tradeoffs  - How  does  developmental  assurance  relate  to  other  methods  of  gaining 
assurance  such  as  evaluation? 

Assurance  based  on  “people”  - Can  some  level  of  assurance  be  gained  based  on  the 
people  Involved?  Does  developmental  assurance  mean  "certifying”  in  some  way  the 
people  that  perform  the  devlopment  OR  does  It  mean  “certifying”  the  development 
process  itself  OR  some  combination  of  the  two.  How  does  quality  assurance  play  into 
developmental  assurance?  Does  quality  add  to  the  security  of  a product  or  system  in 
any  meaningful  way? 

Low/High  Assurance  - Are  the  needs  the  same?  At  what  current  level  of  assurance 
(C2?,  E2?)  would  developmental  assurance  be  useful/meaningful?  Is  developmental 
assurance  appropriate  at  the  higher  assurance  levels?  Could  developmental 
assurance  be  a building  block  towards  higher  assurance  level? 

The  attendees  were  randomly  assigned  to  small  working  groups  In  which  they 
discussed  the  above  topics. 
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Conclusions  & Recommendations 


General  Summary 

In  general,  the  majority  of  the  workshop  participants  agreed  that  the  concept  of 
developmental  assurance  is  valid  and  potentially  valuable.  Use  of  notions  described  in 
the  developmental  assurance  concept  could  provide  benefits  to  the  overall  evaluation 
process. 

Developmental  assurance  must  be  further  investigated  at  the  international  level.  The 
Workshop  participants  were  very  concerned  about  individual  countries  moving  ahead 
on  this  concept  without  harmonization.  Several  participants  stated  the  need  to  work 
closely  together  as  an  International  community. 


Potential  Benefits 

The  Workshop  attendees  noted  several  potential  benefits  from  the  use  of  a 
developmental  assurance  scheme.  Evaluations  of  both  products  and  systems  would  be 
possible  under  a developmental  assurance  scheme.  Developmental  assurance  may 
result  in  major  cost  reductions  for  third  party  evaluations. 

The  workshop  participants  also  believed  that  the  use  of  developmental  assurance  may 
result  In  the  acceleration  of  third  party  evaluations.  If  developmental  assurance  can 
help  to  provide  the  necessary  documentation,  this  may  in  turn  help  to  speed  up  the 
evaluation  process  conducted  by  a third  party. 

Developmental  assurance  may  also  be  useful  In  cutting  the  cost  and  time  required  for 
the  accreditation  process.  The  outputs  of  developmental  assurance  may  provide  some 
very  useful  Information  to  certifiers  and  accreditors. 

By  shifting  some  of  the  evaluation  workload  to  organizations  performing  developmental 
assurance,  evaluations  may  be  completed  in  a more  timely  manner.  Developmental 
assurance  may  also  be  very  useful  in  causing  improvements  to  re-evaluation,  and 
maintenance  of  evaluation  ratings. 

It  was  suggested  that  the  use  of  developmental  assurance  as  a alternative  to  third  party 
evaluations  may  reduce  or  eliminate  misleading  evaluation  rating  claims.  Such  claims 
as  “designed  to  meet”  and  “C2-like”  can  be  misleading  and  confusing  the  to 
consumer. 
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A scheme  which  encompasses  developmental  assurance  will  broaden  the  availability  of 
security  expertise  and  practice.  Evaluation  expertise  will  be  spread  to  other  ‘ 
organizations  outside  the  government  agencies.  This  may  help  to  foster  a wider 
community  of  computer  security  professionals 

Developmental  assurance  may  also  result  in  greater  availability  of  low  assurance 
evaluated  products,  and  a consequent  increase  in  awareness  and  demand.  If  more 
organizations  have  the  expertise  to  perform  evaluations  then  the  number  of  evaluated 
products  will  Increase. 


Levels  of  Assurance 

Precise  bounds  of  applicability  and  achievable  levels  of  developmental  assurance  need 
further  Investigation.  Developmental  assurance  should  be  introduced  with  lower  level 
goals  and,  if  successful,  migrate  upwards  to  the  higher  levels  of  trust. 


Relationship  to  Third  Party  Evaluations 

The  combination  of  developmental  assurance  products,  and  developmental  assurance 
with  third  party  evaluation  products  should  be  feasible,  but  requires  further  study.  The 
effect  on  and  relationship  with  liabilities  and  insurance  requires  study. 


Effect  on  competition  may  have  benefits  and  disadvantages. 

The  developmental  assurance  scheme  must  fit  naturally  into  current  commercial  activity 
and  operations,  and  align  with  (and  anticipate)  industry  trends.  Although  third  party 
evaluation  by  Commercial  Licensened  Evaluation  Facilities  (CLEFs)  was  seen  as 
providing  Improved  throughput,  it  was  not  seen  as  responding  to  general  commercial 
needs  for  products 

It  was  generally  agreed  that  there  would  be  continuing  requirement  for  third  party 
evaluation.  Developmental  assurance  would  not  replace  third  party  evaluations  but 
serve  as  a portion  of  the  evaluation  process.  Use  of  Developmental  assurance  could 
potentially  reduce  the  length  of  time  required  for  a third  party  evaluation. 
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Proposed  Model 


The  Workshop  Participants  envisioned  a four  tiered  approach  to  operating  a 
developmental  assurance  scheme. 

First,  an  international  body  will  set  standards  and  oversee  the  operation  of  the  national 
bodies. 

Second,  the  national  bodies  will  regulate  the  operation  of  licensing  agents  in  their 
individual  areas. 

Third,  the  Europeans  CLEFs  could  form  the  basis  of  a model  for  a licensing  agent. 
The  CLEFs  under  this  model,  would  be  authorized  to  approve,  license  and  audit  the 
Developmental  assurance  process  of  vendor  and  potentially  system  integrators. 

Fourth,  the  vendors  and  integrators  would  develop  and  deliver  products,  components 
and  systems  that  carry  their  evaluation  marking  or  warranty.  This  might  take  the  form 
of  a multi-factor  evaluation  vector  rather  than  a simple  passed  indicator. 

Additionally  a mechanism  for  appeals  and  interpretations  would  be  developed.  The 
appeal  process  could  operate  either  under  the  national  or  International  schemes.  The 
process  of  interpretation  of  developmental  assurance  reqlrements  must  take  place  at 
the  international  level  In  order  to  prevent  conflicting  Interpretations. 


Criteria  Base 

There  was  a great  deal  of  discussion  about  the  criteria  to  be  used  for  developmental 
assurance.  It  was  the  common  view  that  a criteria  must  be  established,  possibly 
through  the  Common  Criteria. 

There  are  many  specific  requirements  for  developmental  assurance  that  may  need  to 
be  handled  in  separate  documentation. 
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Possible  Methodologies  and  Approaches 


The  developmental  assurance  workshop  did  not  result  in  the  establishment  of  a single 
developmental  assurance  methodolgy  or  approach.  Rather  it  explored  a number  of 
valid  methodologies  and  approaches.  It  was  suggested  by  the  workshop  participants 
that  a combination  of  these  approaches  into  a new  framework  may  result  in  a useful 
methodology.  This  combination  of  valid  approaches,  perhaps  with  the  development  of 
some  new  methods,  could  provide  an  extremely  effective  developmental  assurance 
framework. 

The  framework  for  developmental  assurance  must  cover  all  stages  and  aspects  of  the 
design,  implementation  and  delivery  processes. 

There  is  a considerable  legacy  of  relevant  tools  and  methodologies  exist  which  should 
provide  a solid  basis  for  developmental  assurance.  These  include: 

Capability  Maturity  Models 

ISO  9000-3 

Formal  methods 

Informal  methods  (object  oriented  etc.). 

Developmental  assurance  methods  must  support  some  form  of  metric  to  assess 
performance  and  quality  improvement. 


General  Issues 


The  participants  expressed  concern  about  a number  of  general  developmental 
assurance  Issues.  The  level  of  committment  from  the  government  agencies  was 
unclear.  The  roles  the  government  agencies  were  to  take  in  the  development  of  a 
developmental  assurance  scheme  was  also  unclear. 

The  participants  were  also  concerned  about  the  inital  costs  of  implementing  a 
developmental  assurance  scheme.  Costs  of  required  resources  from  both  the 
government  agencies  and  the  vendors  were  discussed.  Some  participants  felt  that  a 
developmental  assurance  scheme  would  place  a heavy  burden  on  the  vendors.  There 
was  also  some  discussions  about  the  demonstrable  trustworthiness  of  the  vendors. 
Some  particpants  felt  that  it  would  not  be  acceptable  to  simply  rely  on  the  word  of  the 
vendor  and  that  a third  party  review  of  vendor  claims  would  always  be  required. 
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The  level  of  detail  required  for  both  the  scheme  and  the  vendor  documentation  was 
discussed.  A great  deal  of  guidance  documentation  will  be  required. 

Since  there  were  very  few  vendors  In  attendance,  the  commitment  to  a developmental 
assurance  scheme  by  the  vendors  was  questioned.  It  was  unclear  whether  or  not  the 
vendors  would  accept  a developmental  assurance  scheme. 

A lengthy  discussion  about  legal  liabilities  and  insurance  coverage  took  place  during 
the  workshop. 


Recommended  Actions 

The  North  American  and  European  sponsors  will  reflect  on  the  results  of  the  workshop, 
and  consider  further  action.  It  was  suggested  that  an  international  working  group  be 
formed  to  further  explore  the  developmental  assurance  concept. 

A significant  number  of  participants  indicated  that  they  would  be  able  to  provide  further 
support  for  developing  the  Ideas  of  the  workshop. 

The  opinion  of  the  vendors  and  system  Integrators  not  represented  at  the  workshop 
should  be  actively  sought  by  the  sponsors,  perhaps  through  an  additional  workshop. 
Success  of  a developmental  assurance  scheme  will  greatly  depend  on  getting  support 
from  the  major  vendors  and  Integrators. 
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Appendix  A 

Papers  Received  from  the  United  States 


Some  Reflection  on  Development  Assurance 

Susan  Rose  Childers 
Computer  Sciences  Corporation 
Hanover,  Maryland 

Establishing  a Unified  Framework  for  Expressing  Developmental  Assurance 
Requirements  in  the  Information  Technology  Security  Evaluation  Common  Criteria 

Ron  S.  Ross,  Terry  Mayfield,  Stephen  R.  Welke,  and  John  M.  Boone 
Institute  for  Defense  Analyses 
1801  N.  Beauregard  Street 
Alexandria,  VA  223311-1772 


Specification  fora  Unified  Standard:  Integration  of  the  Common  Criteria  with  the  ISO 
9000-3  Standard 

Ed  Kusik 

Rockwell  Space  Operations  Company 

600  Gemini  MS#  R11A 

Houston,  TX  77058 

Tel:  713.282.2566 

Fax:  713.282.4575 

eMail:  egkusik@rsochou.rockwell.com 

Donald  L.  Evans 

Unisys  Government  Systems 

600  Gemini  MS# 

Houston,  TX  77058 
Tel:  713.282.4050 
Fax:  713.282.4575 
eMail:  dlevans@rsochou.rockwell.com 
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Summary  Paper  - Product  Assurance:  An  Operational  Perspective 

Ronald  E.  Helsley 
Sr.  Systems  Engineer 

AlliedSignal  Technical  Services  Corporation 

600  Gemini  MS#  B81A-555 

Houston,  TX  77058 

Tel:  713.282.2504 

Fax:  713.282.4575 

rehelsle@rsochou.rockwell.com 

Donald  L.  Evans 

Unisys  Government  Systems 

600  Gemini  MS# 

Houston,  TX  77058 
Tel:  713.282.4050 
Fax:  713.282.4575 
eMail:  dlevans@rsochou.rockwell.com 

The  New  Alliance:  Gaining  on  Security  Assurance 

Rene  Sanchez 

Rockwell  Space  Operations  Company 

600  Gemini  MS#  R11A 

Houston,  TX  77058 

Tel:  713.282.4589 

Fax:  713.282.4575 

eMail:  r?sanche@rsochou. rockwell.com 

Donald  L.  Evans 

Unisys  Government  Systems 

600  Gemini  MS# 

Houston,  TX  77058 
Tel:  713.282.4050 
Fax:  713.282.4575 
eMail:  dlevans@rsochou.rockwell.com 

Position  Paper  for  the  International  Workshop  on  Developmental  Assurance 

Stan  Kurzban 
62  Pond  View  Lane 
Chappaqua,  New  York  10514 
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Quality  Management  Systems  Support  Trusted  Software 
Timothy  R.  Stacey 

Science  Applications  International  Corporation 

600  Gemini  MS#  C56B 

Houston,  TX  77058 

Tel:  713.282.4423 

Fax:  713.282.4575 

eMail:  staceyt@orvb.saic.com 


Developmental  Assurance  for  Commercial  Products 
Steven  B.  Lipner 

Trusted  Information  Systems,  Inc. 

Glenwood,  MD 

Application  of  Trusted  Technology  in  the  Development  of  Tactical  Systems 

Diane  M.  Bishop 
Computer  Sciences  Corporation 
1301  Virginia  Drive,  Fourth  Floor 
Ft.  Washington,  PA  19034 

The  International  Information  Highway:  Its  Impact  on  Security  and  The  Assurance 
Question 


Developmental  Assurance:  Its  Nature,  Need,  and  Means 
Guy  King 

Computer  Sciences  Corporation 
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Acceptance  of  the  Security  Engineering  Capability  Maturity  Model 

Captain  Julie  L Connolly,  USAF 
INFOSEC  Systems  Engineering  Office 
National  Security  Agency 
Fort  Meade,  MD  20755 
Tel;  (410)684-7374 
JLConnolly@dockmaster.ncsc.mil 

An  International  Red  Team  for  Information  Technology  Security 

Wilson  F.  Engel,  III,  Ph.D. 

Research  Director 
INRI 


Position  Paper  on  Developmental  Assurance 
Gary  Kincaid 

McDonnell  Douglas  Aerospace 
8201  Greensboro  Dr. 

McLean,  VA  22102 

Tel:  703.883.3935 

Gary_Kincaid@MDAISS.MDC.COM 

Trade-Offs  in  Establishing  a Software  Process  Security  Standard 

Edward  G.  Amoroso  and  Howard  M.  Israel 
Secure  Systems  Department,  AT&T  Bell  Laboratories 
Whippany,  New  Jersey  07981  - USA 
Te:  (201)386-{6398  4678} 

{e.amoroso  h.israel}@att.com 

Development  Assurance  versus  Evaluation  Assurance:  What  can  really  be  gained? 
Noelle  McAuliffe 

Trusted  Information  Systems,  Inc. 

Glenwood,  MD 
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An  Organizational  Approach  to  Developing  Quality  Assurance  Methods  for  Gaining 
Security  Assurance  in  t Electric  Utility  Industry 

Art  Maria 

Puget  Sound  Power  and  Light  Company 
MS-OBC/07N  P.O.  Box  97034 
Bellevue,  Washington  98004 
maria@puget.com 


Technical  and  Policy  Position  on  Developmental  Assurance 

Steven  Szep 
K-Systems,  Inc. 

P.  0.  Box  269 
Lambertville,  NJ  08530 
Tel:  609.397.3288 

Developmental  Assurance  and  Software  Quality  Assurance,  A Common  Ground 

Jennie  Benson 
Lockheed  Austin  Division 
P.O.  Box  17100 
Austin,  Texas  78748-7100 


Position  Paper  on  Developmental  Assurance  for  Security  Products 

Ranwa  Hadda  and  Deborah  Downs 
Aerospace  Corporation 
P.O.  Box  92957 
Los  Angeles,  CA  90009-2957 
Tel:  310  336-5288 

Additional  Considerations  for  Reducing  the  Dependency  upon  Evaluation  Assurance 
through  Development  Assurance 

Donald  Schmidt 
Datmedia  Corp. 

Nashua,  NH 
Tel:  603  886  -1570 
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Position  Paper  on  the  Use  of  Developmental  Assurance  to  Replace  Evaluation 

Richard  Allen,  Anthony  Datel 
Oracle  Corporation 
500  Oracle  Parkway 
Box  659405 

Redwood  Shores,  CA  94065 

rallen@oracle.com 

adatel.uk@oracle.com 

Evaluating  Systems  Composed  of  Certified  Elements 

Penny  Klein 

DISA/CISS 

Tel;  703  756-7918 

DoD  Information  Technology  Security  Certification  and  Accreditation  Process 
(DITSCAP) 

Penny  Klein 

DISA/CISS 

Tel:  703  756-7918 

Process  Assurance 

Lisa  A.  Gallagher 

CSC  Professional  Services  Group 

1340  Ashton  Road,  Suite  E 

Hanover,  MD  21076 

Phone;  (410)  859-2862 

FAX:  (410)859-2859 

An  Assurance  Taxonomy 

Douglas  J.  Landoll,  David  R.  Wichers,  Carl  A.  Souba 
landoll@arca.md.com,  wichers@arca.md.com,  souba@arca.md.com 
Area  Systems,  Inc. 

10320  Little  Patuxent  Parkway,  Suite  1005 
Columbia,  MD  21044 
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Security  Engineering  Capability  Maturity  Model:  A Method  for  Assessing  Process 
Assurance 

Karen  M.  Ferraiolo 
Area  Systems,  Inc. 

8229  Boone  Blvd.,  Suite  610 
Vienna,  VA  22182 
Tel:  703.734.5611 
eMail:  ferraiolo@arca.va.com 

Assurance  is  an  N-Space  (Where  N is  Hopefully  Small) 

Jeffrey  Williams,  Joel  Sachs,  Douglas  Landoll,  Diann  Carpenter 
williams@arca.va.com,  sachs@arca.md.com,  landoll@arca.md.com, 
carpenter@arpa.md.com 
Area  Sustems,  Ind. 

8229  Boone  Blvd.,  Suite  610 
Vienna,  VA22182 
Tel:  703.734.5611 

Unking  Digital  Signatures  with  Manual  Signatures 

Viktor  E.  Hampel,  James  P.  Craft,  and  Robert  D.  Smith,  Jr. 

Systems  Research  and  Applications  Corporation 

1 5th  Street  North 

Arlington,  BA  22201 

Tel:  703.681.0128 

Fax:  703.681.0165 

Building  Security  and  Quality  into  System  Architectures 

John  Voltmer 
The  Solution  Center 
5723  Twin  Brooks  Drive 
Dallas,  Texas  75252 
Tel:  214  447-0666 

Position  on  Using  Quality  Assurance  Methods  to  Gain  Security  Assurance 

Sue  LeGrand,  MS,  CISSP 
72  Harbor  Lane 
Kemah,  TX  77565 
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Electronic  Labeling  of  Digital  Products  (Proposal  for  an  International  Protection 
Standard  for  Digital  Products) 

Victor  E.  Hampel 

Consultant  and  Senior  Technical  Advisor  to  the 
Office  of  the  Secretary  of  Defense  (AT&T/DATDC) 

5109  Leesburg  Pike,  Suite  701 
Tel:  703.681.0128 
Fax:  703.681.0165 

Position  Paper  Concerning  the  Identification  and  Development  of  the  Requisite 
Processes  and  Methods  for  Developmental  Assurance 

Robert  A.  Tannert 

Galaxy  Computer  Services,  Inc. 

for  the  Department  of  Energy 

Supply  and  Demand  Security 

Marshall  D.  Abrams,  Jay  J.  Kahn,  Lester  J.  Fraim,  and  James  G.  Williams 
The  MITRE  Corporation 

Contingency  Plans  - Murphy  was  an  Optimist 

Jay  J.  Kahn,  Marshall  D.  Abrams,  Lester  J.  Fraim,  and  James  G.  Williams 
The  MITRE  Corporation 

How  Do  You  Decide  How  Much  Assurance  is  Enough? 

Marshall  D.  Abrams,  Jay  J.  Kahn,  Lester  J.  Fraim,  and  James  G.  Williams 
The  MITRE  Corporation 

Developmental  Assurance  Benefits  of  the  Capability  Maturity  Model 
Craig  A.  Schiller 

Science  Applications  International  Corporation 

600  Gemini  MS#  C56B 

Houston,  TX  77058 

Tel:  713.282.6650 

Fax  713.282.4575 

eMail:  schillerc@orvb.salc.com 
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The  Need  for  'Personal  Assurance'  of  IT  Security  Specialists 
Richard  C.  Koenig,  Program  Director 

International  Information  Systems  Security  Certification  Consortium  (ISC)2 

Suite  1000,  Park  View  Office  Tower 

Worcester,  MA  01609-1946,  U.S.A 

Tel:  508.842.0452 

eMail:  72632.3207@compuserv.com 

The  ISSA-Sponsored  Committee  to  Develop  and  Promulgate  Generally  accepted 
System  Security  Principles  (GSSP) 

Will  Ozler 

Ozler,  Peterse,  & Associates 
870  Market  St.,  Suite  1001 
San  Francisco,  CA  94102 
Tel:  415.989.9092 
Fax:  415.989.9101 
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Papers  Received  from  Canada 

Improving  Security  Through  Vendor  Participation  - A Position  Paper 

William  Bherley  and  Richard  Doucette 
Brierley,  Doucette  & Simpson  Consulting  Ltd. 

1308  Wellington  Street 
Ottawa  ON  K1 Y 3B2 
Canada 

eMail:  wbrierley@bix.com,  rdoucett@cse.dnd.ca 

Position  Paper  for  International  Invitational  Workshop  on  Developmental  Assurance 

Dan  Craigen 
ORA  Canada 

267  Richmond  Road,  Suite  100 
Ottawa,  Ontario  K1Z  6X3 
Canada 

eMail:  dan@ora.on.ca 
Tel:  +1  613/722-3700 

Developmental  Assurance  and  Risk  Management 

D.  S.  Crawford 
D Secur  Ops  4-3 
Department  of  National  Defence 
Ottawa,  Canada 
Tel:  (613)945-7255 
eMail:  dcrawfor@cse.dnd.ca 

The  Role  of  ISO  9000  - Quality  Assurance  in  Providing  Security  Product  Assurance 

Terry  Fletcher,  B.  Eng.,  M.  Sc 
AEPOS  Technologies  Corporation 
601  - 116  Albert  Street 
Ottawa,  Ontario 
KIP  5G3 
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Developmental  Assurance  a Developmental  Process 

Kimberly  Dwight  Greenizan 
INFOSEC  Engineering 
Computing  Devices  Canada 
1020  - 68th  Avenue  N.E. 

Calgary  Alberta 
T2E  8P2 

Developmental  Assurance  in  Product  Evaluation 
J.  P.  Hopkinson 

Unification  of  Security  Modeling  Techniques 

William  Sandberg-Maitland 
Senior  Consultant 

CGI  Information  Systems  and  Management  Consultants  Inc. 

Ottawa,  Ontario,  Canada 

Tel:  (613)234-2155 

Fax:  (613)234-6934 

eMail:  wsandber@manitou.cse.dnd.ca 

Position  Paper  for  International  Invitational  Workshop  on  Developmental  Assurance 

Gary  Maxwell 
DOMUS  Software  Limited 
1. Cooper  Street,  5th  Floor 
Ottawa,  Ontario,  Canada 
K2P  0G5 

Tel:  (613)230-6285 
Fax:  (613)230-3274 

The  Use  of  Risk  Assessment  to  Select  an  Appropriate  Product  Development  Process 

Tim  Moses,  Ph.  D. 

AEPOS  Technologies  Corporation 
601  -116  Albert  St., 

Ottawa,  Ontario 
KIP  3G4 
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Developmental  Assurance  Proposal 

Andrew  Robison 
CSE,  Canada 

The  Development  of  Functionality,  Assurance,  and  Evaluation  Complexity  and 
Suggestions  for  Simplification 

Wm.  M.  Steward,  Ph.  D. 

Martin  Marietta  Canada 
Ottawa,  Ontario 
Canada,  K1P6L2 
StewartWM  @aol.com 

Julie  Hass,  B.S.E.E 
Martin  Marietta  Astronautics 
2025  Research  Parkway 
Colorado  Springs,  CO 
U.S.A.,  80920 

Elton  Ashby,  M.S. 

Martin  Marietta  Canada 
Ottawa,  Ontario 
Canada,  K1P  6L2 

Trust  through  Assurance  (Assurance  Through  Experience) 

Paul  Teeple 

Officer  in  Charge 

EDP  Security  Branch 

Royal  Canadian  Mounted  Police 

Tel:  (613)  993-8783 

B1  Security  Verification  & Validation:  3 DAYS  VERSUS  3 YEARS 

Peter  P.C.H.  Kingston,  B.Sc,  ISP,  CISSP 
The  Kingston  Group  & Associates  Limited 


Developmental  Assurance  Workshop  Proceedings 


25 


26 


Papers  Received  from  Europe 


I BAG  Contribution  to  International  Invitational  Workshop  on  Development  Assurance 
Chris  Amery 

INFOSEC  Business  Advisory  Group  (IBAG)/ZERGO  LTD. 

The  Square 
Basing  View 

UK-RG21  2EQ  Basingstoke 

Potential  Contribution  of  Conformance  Testing  Methods  to  Security  Evaluation 
Roy  Cadwallader, 

Managing  Director,  ENACT  Ltd.,  UK 

International  Invitational  Workshop  on  Developmental  Assurance  - Summary  Paper 

Senior  Consultant  Tor  Olav  Grotan,  Senior  consultant  Kenneth  R.  Iversen,  dr  ing 
Norwegian  Centre  for  Medical  Informatics  (KITH) 

Medisinsk  Teknisk  Senter 
7005  Trondheim,  Norway 
Tel:  +47  73  5986  00 
Fax:  +47735986  11 
email:  tor.grotan@mtfs.unit.no 

kenneth.iversen@mtfs.unit.no 

No  title 

Subject:  The  BT  System  Security  Evaluation  and  Certification  Scheme 
Peter  Harding 

Manager  Electronic  Security  Projects 

BT  Commercial  Security  Unit 

Emsworth  ATE 

Warblington  Rd 

EMSWORTH 

Hants  PO10  7HQ 

United  Kingdom 

Tel:  +44  243  370682 

Fax:  +44  243  370681 
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Paper  for  Vendor  Assurance  Workshop:  A Total  Package  on  Information  Security 
Nigel  Hickson 

Management  and  Technology  Division 
Department  of  Trade  and  Industry 

Developmental  Assurance,  the  Need  and  a Possible  Framework 
Per  Moving, 

Saab-Scania  AB,  Sweden 

Security  Evaluation  in  an  OS/  Context 

Gary  Jones 
EDS 

Pembroke  House 

Pembroke  Broadway 

Camberle 

Surrey 

GU15  4UF 

UK 

An  Integrative  Approach  and  a Proposal  for  a Metric 
Dr.  Heinrich  Kersten 

BSI  - Bundesamt  fur  Sicherheit  in  der  Informationstechnik, 

Bonn,  Germany 

Tuning  Process  Capability  to  Assure  Required  Security  Levels 
Lech  Krzanik 

Department  of  Informatin  Processing  Science 
University  of  Oulu 
Linnanmaa,  FIN-90570  Oulu, 

Finland 

Tel:  +358.81  553  1922 
Fax:  +358.81  553  1890 
eMail  krzanik@rieska.oulu.fi 
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Jouni  Simila 

CCC  Software  Professionals  Oy 
Lentokentantie  15,  FIN-90460  Oulunsalo 
Finland 

Tel:  +358.81  481122 
Fax:  +358.81  481168 

Position  Paper  on  Developmental  Assurance 

Helmut  Kurth 
lABG 

Einsteinstr.  20 
D-85521  Ottobrunn 
Germany 

eMail  kurth@ite.iabg.de 

To  Build  an  Affordable  Software  Engineering  Environment  for  the  Development  of 
Secure  Systems 

Amuary  LEGAIT 
SYSECA 

315,  Bureaux  de  la  Colline 
92213  Saint  Cloud  Cedex 
France 

Tel:  +33  1 49  1 1 73  85 
Fax:  +33  1 49  1 1 76  45 
eMail  amaury@syseca.fr 
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Security  Quality  through  Security  Engineering  Methodology 

Michele  Zurfluh-Vallant,  Jean-Marc  Lermuzeaux 
Alactel  Alsthom  Recherche 

Response  to  Call  for  Papers  - International  Invitational  Workshop  on  Developmental 
Assurance 

Wendy  R.  London 

Senior  Principal  Consultant  - CDG 

Oracle  Corporation  UK 

Statement  of  Position  on  Self  Certification  in  ITSEC 

Unknown  author 
PC  Security  Limited 
The  Old  Court  House 
Trinity  Road 
Marlow,  Bucks  SL7  SAN 
Tel:  0628  890390 
Fax:  0628  890116 

ISO  9000  - Quality  Standard  Based  Network  Services  Security  Architecture 

Mr.  Juha  E.  Miettinen 
Manager,  Information  Security 
Telecom  Finland 
2.  0.  Box  106 
FIN-00511  Helsinki 
Finland 

Tel:  +358  0 2040  3877 
Fax:  +358  0 2040  3887 
eMail:  Juha.Miettinen@qm.ajk.tele.fi 

The  Place  of  Developmental  Assurance 

Dr.  R.  Pizer 

Head  of  Certification  Body 
UK  ITSEC  Scheme,  PO  Box  152 
Cheltenham  GL52  5UF 
United  Kingdom 
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Summary  Paper  for  International  Workshop  on  Development  Assurance 
Richard  Polis 

Groupe  de  Management  Geneve 

Geneva  Management  Group 

Chemin  du  Levrioux 

Case  Postale  23 

CH  - 1263  Grassier 

Suisse 

Tel:  (022)367  10  93 
Fax:  (022)  367  1 1 41 
Telex:  419  503 

Practical  Experience  With  Evaluation  Assurance  of  Commercial  Security  Products 
Bart  PRENEEL 

Katholieke  Universiteit  Leuven,  Belgium  and  University  of  California  at  Berkeley 

International  Harmonization  of  Information  Security  Assessments 

Folkert  RIENSTRA  (Chairman  ITQS) 

KEMA 

P.  0.  Box  9035 

6800  ET  ARNHEM 

The  Netherlands 

Tel:  +31  85  56  62  23 

Fax:  +31  85  56  32  05 

eMail:  f.rlenstra(A)mta3.kema.nl 

Security  Evaluation,  Quality  Assurance  and  Conformance 

Bronia  Szczygiel 
Data  Security  Group 
NPL 

Summary  Paper  for  the  Developmental  Assurance  Workshop 
Ian  Uttridge 

Logica  Defence  and  Civil  Government  Ltd 
68  Newman  Street 
London  W1A4SE  UK 
uttridgel(gLgsh.  Logica.com 
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International  Invitational  Workshop  on  Developmental  Assurance  - A Position  Paper  on 
Vendor  Assurance 

Unknown  author 

Admiral  Management  Services  Limited 
Kings  Court 
91-93  High  Street 
Camberley,  Surrey  GUI 5 3RN 

Developmental  Assurance,  the  Need  and  a Possible  Framework 
Per  Moving, 

Saab-Scania  AB,  Sweden 
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